- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 19 Jan 2015 13:43:58 +0100
- To: Paul Libbrecht <paul@hoplahup.net>
- Cc: "Henry S. Thompson" <ht@inf.ed.ac.uk>, Mark Nottingham <mnot@mnot.net>, Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael[tm] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>

On Mon, Jan 19, 2015 at 1:35 PM, Paul Libbrecht <paul@hoplahup.net> wrote:
> You got it right: we need to teach users to differentiate.
>
> And that could be done by UIs.
> Users' banks, and most financial statements sites, are probably identified
> by an EV cert… that's quite a difference to a startSSL cert in terms of UIs
> nowadays.
> That difference would be enough already to my taste.

No way. That is way too subtle a distinction. Users are not going to remember what type of certificate a site used and based on that decide to not work with it next time around (if it changed). Not to mention that this would still leak all your credentials given that those are scoped by origin.

--
https://annevankesteren.nl/

Received on Monday, 19 January 2015 12:44:22 UTC